NT IIS MDAC System Privileges Vulnerability

[_/info\_] [_/discussion\_] [_/exploit\_] [_/solution\_]
[_/credit\_] [_/help\_]

MDAC  (Microsoft  Data  Access Components)  is  a package
used  to integrate web and database services. It includes
a  component named RDS (Remote Data Services). RDS allows
remote  access  via  the  internet  to  database  objects
through  IIS. Both are included in a default installation
of  the Windows NT  4.0 Option Pack, but  can be excluded
via a custom installation.

RDS  includes a component called  the DataFactory object,
which  has a vulnerability that  could allow any web user
to:
--Obtain  unauthorized access to unpublished files on the
IIS server
--Use  MDAC to  tunnel ODBC requests through  to a remote
internal  or external location,  thereby obtaining access
to  non-public servers or effectively  masking the source
of an attack on another network.

The main risk in this vulnerability is the following:
--If  the  Microsoft  JET OLE  DB  Provider  or Microsoft
DataShape  Provider are  installed, a user  could use the
shell()   VBA   command   on  the   server   with  System
privileges.  (See the  Microsoft JET Database  Engine VBA
Vulnerability    for   more   information).   These   two
vulnerabilities  combined  can allow  an attacker  on the
Internet  to  run  arbitrary commands  with  System level
privileges on the target host.

Note  that while MDAC 2.x  is not vulnerable, the upgrade
process  from MDAC  1.5 leaves the  vulnerability intact.
For  MDAC  2.x to  be  secure it  must be  installed from
scratch, not via an upgrade.

           Copyright 1999 Security-Focus.Com, All Rights Reserved
                                disclaimer